U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

Audit Report
Security Planning for National Security Information Systems at Lawrence Livermore National Laboratory

OAS-M-11-03                          April 2011

Department of Energy
Washington, DC 20585
April 15, 2011

MEMORANDUM FOR THE ADMINISTRATOR, NATIONAL NUCLEAR SECURITY ADMINISTRATION

FROM:     Rickey R. Hass
          Deputy Inspector General for Audits and Inspections
          Office of Inspector General

SUBJECT:  INFORMATION: Audit Report on "Security Planning for National Security Information Systems at Lawrence Livermore National Laboratory"

BACKGROUND

The National Nuclear Security Administration (NNSA) is responsible for the maintenance and security of the Nation's nuclear stockpile, management of nuclear nonproliferation activities, and operation of the naval reactor programs. A significant amount of the information related to these mission activities is classified and stored or processed in national security information systems. The Lawrence Livermore National Laboratory (LLNL) maintains various national security systems, ranging from diskless workstations to large supercomputers, which process sensitive and classified information in support of program objectives.

In the past, physical and cyber security controls over sensitive and classified information throughout the Department of Energy (Department) have been areas of concern. For example, the Office of Inspector General Special Inquiry on Selected Controls over Classified Information at the Los Alamos National Laboratory (OAS-SR-07-01, November 2006) disclosed weaknesses that contributed to the compromise of classified data. In addition, our report on Certification and Accreditation of the Department's National Security Information Systems (DOE/IG-0800, August 2008) identified that enhancements were needed at numerous sites, including LLNL, in the areas of risk management, security planning and contingency planning to reduce the risk of compromise to national security systems. Given the importance of this area, we initiated this audit to determine whether NNSA had developed and implemented an effective risk management process over its national security information systems at LLNL.

RESULTS OF AUDIT

Our review found that LLNL had taken steps to improve the risk management process for its national security information systems based on our prior reviews. In particular, officials had initiated actions to address the risks associated with separation of incompatible cyber security duties and the use of mixed-media environments – situations where classified and unclassified systems are co-located. However, we found that additional actions are needed in the area of security planning and policies to reduce the risk of compromise. In particular, we noted that:

   •   Three of four system security plans we reviewed were incomplete and did not always sufficiently describe security controls and how they were implemented;

   •   Contractor officials made security-significant changes to national security systems that potentially increased the risk to those systems without first obtaining approval from the Federal Authorizing Official – the person ultimately responsible for accepting risks posed by changes to information systems; and,

   •   NNSA had not incorporated security controls established by the Committee on National Security Systems, the organization designated by Executive Order 13231 to develop policies and standards for protecting national security information systems, into its cyber security policy, thus negatively impacting LLNL's ability to meet Federal security requirements.

These issues were due, at least in part, to inadequate program and site-level policies and procedures for protecting national security information systems. For example, NNSA cyber security program policies had not been updated since May 2008, and were not aligned with current Federal and Department requirements. The problems identified persisted because of insufficient performance monitoring by Headquarters and Site Office Federal officials. For instance, Federal officials responsible for oversight had not always ensured that changes to systems were appropriate and in accordance with risks identified and accepted as part of the systems' authorization to operate.

Without improvements, the weaknesses identified may limit program and site-level officials' ability to make informed risk-based decisions that support the protection of classified information and the systems on which it resides. LLNL officials reported that they are currently reforming the site's system authorization process and recertifying its national security information systems to better align with current NNSA policies. While these are positive actions, additional effort is necessary. As such, we have made several recommendations that, if fully implemented, should help enhance NNSA's and LLNL's management of risk over national security information systems.

MANAGEMENT REACTION

Management indicated that it generally agreed with the report's findings. While the Livermore Site Office did not agree with the report's recommendations, management commented that corrective actions were already underway to address issues identified in the report. However, no specific corrective actions were included in management's comments. In addition, management disagreed with several of the conclusions in the report related to policy implementation and performance monitoring. As appropriate, we modified our report in response to management's comments, which are included in their entirety in Appendix 3.

Attachment

cc: Deputy Secretary
    Associate Deputy Secretary
    Chief of Staff
    Chief Health, Safety and Security Officer
    Chief Financial Officer
    Chief Information Officer

REPORT ON SECURITY PLANNING FOR NATIONAL SECURITY INFORMATION SYSTEMS AT LAWRENCE LIVERMORE NATIONAL LABORATORY

TABLE OF CONTENTS

Security Planning over National Security Information Systems

Details of Finding ............................................... 1

Recommendations and Comments ..................................... 6

Appendices

1.    Objective, Scope and Methodology ........................... 9

2.    Related Reports ........................................... 11

3.    Management Comments ....................................... 12

Security Planning for National Security Information Systems at Lawrence Livermore National Laboratory

Security Planning over National Security Information Systems

Our audit found that system security plans for certain national security information systems at Lawrence Livermore National Laboratory (LLNL) were incomplete and did not always sufficiently describe security controls and/or how controls were implemented. In addition, the Livermore Site Office (LSO) Federal Authorizing Official was not always notified when changes that may have been security-significant were made to LLNL's national security systems. We also found that minimum baseline security controls required by the Committee on National Security Systems (CNSS) had not been incorporated into National Nuclear Security Administration (NNSA) policy, thereby impacting LLNL's ability to meet Federal cyber security requirements.
As noted in Executive Order 13231, CNSS is the originator of national-level policies and standards for the security of national security information systems.

Minimum Security Controls

Three of four system security plans we reviewed were incomplete and did not always sufficiently describe security controls and how they were implemented on the systems. Internal oversight organizations have identified similar issues during prior reviews at LLNL and our current review found that these weaknesses had not been fully addressed. For instance:

   •   LLNL's Security Plan Policy (SPP), which described institutional security controls common to numerous classified information systems, was not always complete. For instance, although required by NNSA policy, the plan did not adequately address how records of attempts to access facilities housing classified systems were to be maintained. In another instance, the SPP did not sufficiently describe how fire protection controls had been implemented to prevent or suppress fires. Without a thorough description of how these controls are implemented, security assessors may not be able to design test procedures to determine how effectively controls are being implemented. We noted similar weaknesses for more than 25 controls covering areas such as media protection, system integrity, and system acquisition in the SPP. The issues identified are particularly important in this case because the controls in the SPP are to be implemented on various national security systems across the laboratory.

Page 1                                                                Details of Finding

   •   Although NNSA policy required that all security controls be identified within security plans by name and description, LLNL plans we reviewed did not always provide this level of specificity. Rather, we found that the security controls documented in three of the security plans we reviewed contained only high-level information about the systems, their boundaries, and how they were protected. However, many of the controls identified did not provide sufficient detail so that an independent security assessor could identify what was required and how the control had been implemented. For example, while the plan for the system containing Secret Restricted Data described diskless computers as having backups performed monthly, it did not identify where, or in what form, the backups were stored or how backups were to be tested for reliability. In preliminary comments on our report, Federal management stated that it had identified similar weaknesses and had directed LLNL to take corrective actions.

   •   The Secure Computing Facility (SCF) system security plan also disclosed that affected parties should be notified and the system owner should implement procedures to purchase replacement equipment in the event the SCF systems were unavailable. An SCF official explained that should the LLNL location be deemed unsuitable, NNSA would likely copy the alternate processing site's supercomputer design, which is significantly different from that currently utilized by the system, to re-build the system at the alternate location. The official also stated that, operationally, this made more sense than rebuilding the SCF's unique architecture at the alternate site. However, this course of action and the associated risk-based rationale was not documented in the system security plan; therefore, the Federal Authorizing Official had no opportunity to evaluate the balance of risks and mitigation inherent in this course of action.

Managing Changes to System Risk

The Federal Authorizing Official was not always notified when potentially security-significant changes were made to LLNL's national security systems. For example, contractor officials at LLNL made security-significant changes to the Ground-Based Nuclear Explosion Monitoring (GNEM) system without first notifying and obtaining approval from the Federal Authorizing Official – the person ultimately responsible for accepting risks posed by changes. Specifically, 2 of 10 changes made since the system was last authorized to operate in May 2007 were considered security-significant by LLNL contractor officials. We also noted that two additional changes involving physical modifications to the system's accreditation boundary should have been considered security-significant but were not. However, none of these changes had been formally presented to or approved by the Federal Authorizing Official even though they affected the level of risk to the information system. We identified similar issues at LLNL in our previous audit on Certification and Accreditation of the Department's National Security Information Systems (DOE/IG-0800, August 2008).

In addition, change control forms completed by contractor officials for the GNEM system stated that the changes had "been reviewed and the implementation is approved for classified data processing under the existing accreditation." However, the National Institute of Standards and Technology (NIST) and NNSA policy both require that only the Federal Authorizing Official is allowed to make risk acceptance and operation decisions. As noted above, none of the 10 change forms had been reviewed and/or approved by the Federal Authorizing Official. During our discussions, the Federal Authorizing Official stated that he was not familiar with the change forms for the GNEM system. Furthermore, in the case of the GNEM system, the security plan had not been updated to reflect and incorporate the security-significant changes identified even though required by NIST. Without timely updates, the Federal Authorizing Official may not have been aware that the GNEM system's components required different security controls because the system had been moved to a new location due to the destruction of the building described in the security plan. Also, we noted that security-significant changes to the Credibility Assessment Network and Protection Planning & Program Support systems were not approved by the Federal Authorizing Official.

Incorporation of National-Level Standards

During our audit a separate matter came to our attention that impacted the completeness of system security plans at LLNL. Specifically, we found that minimum baseline security controls required by the CNSS and DOE Order 205.1A had not been incorporated into NNSA policy. Direction issued by CNSS requires that control baselines documented in NIST Special Publication 800-53, Revision 3, be incorporated into system security plans for systems authorized after October 2009. However, we noted that more than 90 security controls and control enhancements related to areas such as access controls and media protection had not been incorporated into the NNSA Policy Letters.
As a result, approximately 32 percent of required controls were not required to be documented within the site system security plans or tested as part of the system authorization process. As noted in DOE Order 205.1A, Program Cyber Security Plans are living documents and must be maintained to comply with, among other things, policies promulgated by the CNSS.

Security Policies and Procedures and Performance Monitoring

The issues identified were due, at least in part, to inadequate program-level policies for protecting national security information systems. In addition, insufficient performance monitoring by Headquarters and LSO officials contributed to weaknesses not being identified and addressed, as appropriate.

Cyber Security Policies and Procedures

NNSA officials had not established policy that was as stringent as Department of Energy (Department) directives and Federal requirements. In particular, NNSA Policy Letters had not been updated to incorporate revisions to the Federal minimum required security control baselines. We noted that NNSA policy had not been revised since May 2008 and, therefore, did not direct sites to follow current Federal requirements such as CNSS Instruction 1253. In comments on our draft report, NNSA management stated that updates to Department-level directives would require implementation of the CNSS controls. However, management did not provide a timeline for the issuance and implementation of the updated policy. As noted, approximately 32 percent of required controls had not been fully addressed as part of the system authorization process. As LLNL and other NNSA sites are required to follow the NNSA program-level policy, it is important that the policies be updated to reflect current Federal requirements.

Performance Monitoring

NNSA officials at Headquarters and the LSO had not always performed sufficient monitoring of activities involving national security information systems at LLNL. During our discussions with Headquarters officials, we learned that they had not conducted any recent reviews of national security information systems due to competing demands and resource constraints. Rather, Headquarters officials depended on Federal personnel at the sites to provide sufficient oversight. However, we noted that, in December 2009, NNSA imposed a six-month moratorium on assessment activities while a new oversight approach was developed. As a result, no reviews of national security information systems were conducted at NNSA sites until late in Fiscal Year 2010. LSO management noted that it had since conducted a comprehensive survey, and the site was working toward addressing those issues identified during the survey and in our report.

We found that system security plans were incomplete because LLNL officials had not followed NNSA policies that required a thorough description of how all minimum security controls were being implemented. The LSO Federal Authorizing Official stated that the security plans did not provide much detail about the systems because LLNL Information Technology program officials, system owners, and others with security-significant responsibilities were intimately familiar with the systems and operating environment. Therefore, he believed that the system security plans and supporting documents were sufficient. However, in addition to being contrary to Federal and Department direction, this practice could prove problematic should individuals that are unfamiliar with the environment need to review or implement the plans. For example, a third-party security assessor would not be familiar enough with the LLNL computing environment to design assessment procedures for a system without reliance on a well-defined system security plan and SPP document. In addition, an assessment conducted by the Department's Office of Health, Safety and Security in 2008 identified similar weaknesses with the site's security planning activities. To help address this issue, subsequent to our review, LSO officials stated that they had provided guidance to LLNL regarding the level of specificity required for security control descriptions.

The designated LSO Federal official also had not ensured that security-significant system changes were brought to his attention for review and approval. Although NNSA policy required that security-significant changes be determined by the Designated Approving Authority, site-level policy and procedures approved by the Federal Authorizing Official gave LLNL's cyber security organization full discretion to determine whether security-significant changes to national security systems increased residual risk and thus should be presented to the designated Federal official. The Federal Authorizing Official's representative told us that having these changes approved by the cyber security organization was acceptable because that official was comfortable that the cyber security organization had enough familiarity with the systems. To his credit, the designated Federal official recently issued direction to the site outlining specific instances of system changes that required his explicit approval. In addition, the Federal Authorizing Official's representative noted that LSO performed broad assessments to determine whether the site contractor had met contract performance measures for security, which included limited reviews of security controls on national security information systems.

National Security Information Systems Assurance

Without improvements, LLNL contractor and Federal officials may not be able to make informed risk-based decisions that support the protection of classified information and the systems on which it resides. For example, LLNL contractor officials did not test all Federally-required controls during recent system authorization activities due to their exclusion from program-level policy. As a result, the existence and need for implementation of those controls was not part of the site's risk-based consideration to operate the systems. In addition, incomplete descriptions of controls in system security plans may limit the ability of officials to test the effectiveness of controls over the information systems. Furthermore, system operators could potentially introduce untested, security-significant changes that may impact the risk to the LLNL computing environment if changes are made without the knowledge and approval of designated Federal officials. As noted in our Special Inquiry Report to the Secretary: Selected Controls over Classified Information at the Los Alamos National Laboratory (OAS-SR-07-01, November 2006), numerous weaknesses in controls over national security information systems, including an inadequate change control process, contributed to the unauthorized release of classified information.

RECOMMENDATIONS

To help improve the effectiveness of the risk management process for national security systems, we recommend that the Administrator, National Nuclear Security Administration, in conjunction with the NNSA Chief Information Officer:

   1. Revise the NNSA Policy Letters to more closely reflect current direction from the Department and the CNSS; and,

   2. Develop and implement effective procedures for monitoring the adequacy and sufficiency of protections over national security information systems.

We recommend that the Manager, Livermore Site Office, direct cognizant Lawrence Livermore National Security officials to:

   3. Ensure that information system owners and system security officers employ a fully effective risk management process, to include ensuring that system security plans adequately address all minimum security controls; and,

   4. Ensure that security-significant changes potentially impacting the risk to information systems are consistently elevated to the Federal Authorizing Official for explicit approval.

MANAGEMENT REACTION

Management indicated that it generally agreed with the report's findings. While LSO did not agree with the report's recommendations, management commented that corrective actions were already underway to address weaknesses identified in the report. However, no specific corrective actions were included in management's comments. In addition, management disagreed with several of the conclusions in the report, as summarized below.

Management commented that it did not believe the conclusions documented in our report can be extrapolated to determine the state of the entire risk management program at LLNL. Rather, management stated that the findings in the report should only reflect issues surrounding the maintenance of security documentation and issues that LSO had self-identified as part of its performance monitoring process. In addition, management commented that it was not appropriate to measure LLNL against Federal requirements for security controls and system categorizations that were not included in its contract or NNSA policy. LSO believed that it was inappropriate to require LLNL to implement controls not authorized or funded by the Department and/or NNSA. Specifically, management stated that LLNL was not required to follow CNSS Instruction 1253, but noted that the Department was working to update its cyber security directive to include this Federal policy.
LSO officials also disclosed that the issues we identified with the site's performance monitoring activities were a result of direction received from NNSA Headquarters. Furthermore, management was concerned with changes to the scope of the audit and commented that the report should be modified to separate issues at NNSA Headquarters from those specific to LLNL. At the conclusion of our audit, NNSA officials commented that a contributing factor to the problems identified during our review was the Department's inability to update existing cyber security directives in a timely manner to meet Federal requirements. Officials believed that this impacted their ability to update program-level policies and resulted in certain security requirements not being met.

AUDITOR COMMENTS

While we acknowledge management's concerns, we believe that the findings and recommendations identified in the report are appropriate. In particular, we agree that LLNL was not responsible for implementing baseline security controls that were not included in contractually required directives. However, as noted in our report, it was the responsibility of NNSA management to ensure that its policies were updated in a timely manner and implemented as appropriate. We also agree that LSO's performance monitoring activities were impacted when NNSA issued its moratorium on site assessments; and we modified our report to better reflect the reasons monitoring had not been performed.

Although management noted in its comments that the Department was updating DOE Order 205.1A to include CNSS Instruction 1253, such modifications remained incomplete. In addition, most of the issues identified in our report were related to not meeting existing Department and/or NNSA requirements, not CNSS Instruction 1253. Furthermore, while management was concerned about changes to the scope of the audit, we believe it was appropriate to limit our review to LLNL and Headquarters due to the issues identified at the site. Also, because a number of the weaknesses identified at LLNL were the result of inadequate policies issued by NNSA Headquarters, the inclusion of both Headquarters and site-specific issues in the report was appropriate. In addition, our evaluation focused on reviews of documentation maintained to support the site's risk management process as well as reviews of the processes used by the site to manage cyber security. We modified our report, as necessary, in response to management's comments. Management's comments are included in Appendix 3.

Appendix 1

OBJECTIVE

To determine whether the National Nuclear Security Administration (NNSA) had developed and implemented an effective risk management process over its national security information systems at the Lawrence Livermore National Laboratory (LLNL).

SCOPE

The audit was performed between March 2010 and April 2011, at Department of Energy (Department) Headquarters in Washington, DC and at the LLNL in Livermore, California. The audit was limited to a review of LLNL's risk management process for national security information systems, but did not include a review of systems containing Sensitive Compartmented Information.

METHODOLOGY

To accomplish our objective, we:

   •   Reviewed applicable laws and Department directives, including those pertaining to security of national security information systems;

   •   Reviewed applicable standards and guidance issued by the Office of Management and Budget, the Committee on National Security Systems, and the National Institute of Standards and Technology;

   •   Reviewed prior reports issued by the Office of Inspector General and the Office of Health, Safety and Security;

   •   Obtained documentation from and held discussions with officials from the Department's Office of the
                 Chief Information Officer, NNSA, and contractor\n                       personnel relating to system security; and,\n\n                   \xe2\x80\xa2   Analyzed system documentation to determine\n                       whether the risks of operating selected national\n                       security information systems had been addressed.\n\n              We conducted this performance audit in accordance with\n              generally accepted Government auditing standards. Those\n              standards require that we plan and perform the audit to obtain\n              sufficient, appropriate evidence to provide a reasonable basis\n              for our findings and conclusions based on our audit objectives.\n              We believe that the evidence obtained provides a reasonable\n              basis for our findings and conclusions based on our audit\n              objectives. Accordingly, we assessed significant internal\n\n\n\nPage 9                                 Objective, Scope and Methodology\n\x0cAppendix 1 (continued)\n\n                    controls and NNSA\'s implementation of the Government\n                    Performance and Results Act of 1993 and determined that it\n                    had established performance measures for cyber security\n                    reviews, but these were not necessarily specific to the\n                    management and operation of its national security information\n                    systems. Because our review was limited, it would not have\n                    necessarily disclosed all internal control deficiencies that may\n                    have existed at the time of our evaluation. We did not rely on\n                    computer-processed data to satisfy our audit objectives. 
Our\n                    review also did not include technical testing of specific\n                    information systems.\n\n                    An exit conference was held with NNSA officials on April 4,\n                    2011.\n\n\n\n\nPage 10                                      Objective, Scope and Methodology\n\x0cAppendix 2\n\n                                   RELATED REPORTS\n\nOffice of Inspector General Reports\n\n   \xe2\x80\xa2   Certification and Accreditation of the Department\'s National Security Information\n       Systems (DOE/IG-0800, August 2008). We found that at five of the six sites included\n       in our audit, risks such as a lack of separation of duties and the presence of\n       unclassified and classified systems operating in the same environment had not been\n       addressed in system security plans. In many instances, security plans, or changes to\n       systems, were not appropriately approved by Department of Energy (Department)\n       officials. Further, in certain cases, plans did not accurately reflect the actual\n       environment in which the system operated; and, at five of the six sites reviewed,\n       contingency plans had not been developed for national security information systems \xe2\x80\x93\n       a critical activity required to mitigate the risk of service disruption. Several problems\n       contributed to the weaknesses identified during our review. In particular, the\n       Department had not yet fully developed and implemented adequate cyber security\n       policies to ensure that national security information systems were adequately\n       protected. In addition, Federal and contractor officials did not always utilize effective\n       mechanisms to monitor performance of security controls.\n\n   \xe2\x80\xa2   Special Inquiry Report to the Secretary: Selected Controls over Classified\n       Information at the Los Alamos National Laboratory (OAS-SR-07-01, November\n       2006). 
Our review revealed that significant and pervasive information security\n       weaknesses placed Los Alamos National Laboratory\'s (LANL) classified computing\n       operations and assets at high risk. We found that while LANL had developed policies\n       designed to protect classified information, in many instances these were not\n       effectively deployed to prevent serious security weaknesses at the classified\n       computing facility. Specifically, classified information was diverted by a subcontract\n       employee using an unapproved \xe2\x80\x93 but readily accessible \xe2\x80\x93 networked printer and an\n       unauthorized flash drive to copy and remove classified information. In addition, we\n       identified deficiencies related to mixed-media vulnerabilities, unneeded access to\n       computing resources, as well as a failure to operate within classified information\n       system accreditation boundaries.\n\n\n\n\nPage 11                                                                      Related Reports\n\x0cAppendix 3\n\n\n\n\nPage 12      Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\nPage 13                  Management Comments\n\x0c                                                             IG Report No. OAS-M-11-03\n\n                       CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of\nits products. We wish to make our reports as responsive as possible to our customers\'\nrequirements, and, therefore, ask that you consider sharing your thoughts with us. On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding\n   this report?\n\n2. 
What additional information related to findings and recommendations could have\n   been included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s\n   overall message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the\n   issues discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should\n   we have any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\nWhen you have completed this form, you may telefax it to the Office of Inspector\nGeneral at (202) 586-0948, or you may mail it to:\n\n                           Office of Inspector General (IG-1)\n                                 Department of Energy\n                                Washington, DC 20585\n\n                              ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Felicia Jones at (202) 586-7013.\n\x0cThis page intentionally left blank.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. Department of Energy Office of Inspector General Home Page\n                                  http://www.ig.energy.gov\n\n  Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'